Immigration Data Breach Privacy Complaint
Read the determination.
Notice to all persons in immigration detention on 31 January 2014
The closing date for submissions was 4.00 pm on 19 October 2018.
On 10 February 2014, the Department of Immigration and Border Protection (now the Department of Home Affairs) (Department) published, in error, a detention report on its website that contained embedded personal information (Data Breach). More information about the Data Breach is available here.
The report contained the personal information of all 9,258 persons who, as at 31 January 2014, were in immigration detention.
The personal information disclosed in the Data Breach consisted of full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details, and the reasons which led to the individual becoming an unlawful non-citizen under the Migration Act 1958.
On 30 August 2015, a representative complaint was made to the Office of the Australian Information Commissioner (OAIC) on behalf of all persons whose information was published by the Department in error (Group Members). The complaint requested the Department provide an apology and compensation.
In the complaint, which was initially made as an individual complaint, the Representative Complainant referred to the Data Breach, and advised that as they were in immigration detention in January 2014, they had reason to believe their personal information was disclosed by the Department.
On 10 October 2018 the Commissioner made a decision to substitute the representative complainant with another individual within the class, represented by Slater and Gordon, on the basis that the original representative complainant is deceased. The Commissioner considered submissions about this issue from two individuals who sought to be substituted and substituted the person who was best able to represent the interests of the class. Information about Slater and Gordon is available on their website.
The Commissioner is preparing to make a determination on this matter under s 52 of the Privacy Act 1988 (Cth), in which she will consider whether a remedy, including any compensation, should be awarded to any individual Group Member who has suffered loss or damage as a result of the Data Breach.
To assist the Commissioner to determine whether individual Group Members should be awarded compensation, OAIC is seeking information from individuals who were:
- in immigration detention (including Immigration Detention Centres, community placements, and alternative places of detention) on 31 January 2014, and
- suffered any loss or damage as result of the Data Breach.
Frequently Asked Questions
Do I need to respond to this Notice?
You need to respond to this Notice if you were in immigration detention on 31 January 2014 and you have suffered any loss or damage as a result of the Department’s Data Breach.
The Commissioner will consider whether you are entitled to any remedy, including any compensation, from the Department based on the information and evidence you provide.
If you have not suffered any loss or damage as a result of the Data Breach, you will not be entitled to compensation and you do not need to respond to the Notice.
You also need to respond to the Notice if you wish to ‘opt out’ of the Representative Complaint. If you ‘opt out’ of the Representative Complaint, your complaint will not be considered as part of the Representative Complaint.
If you wish to make an individual complaint about the Data Breach, you need to ‘opt out’ of the Representative Complaint before doing so.
What is ‘loss or damage’?
Loss or damage can include any kind of physical or emotional harm, including stress and anxiety, or any negative impact on your mental or physical health as a result of the Data Breach. It can include injury to feelings or humiliation. It can also include financial harm.
The Commissioner can only assess actual loss or damage you have suffered, and not potential or future loss or damage.
Do I need to provide information about anything other than loss or damage suffered by me as a result of the Data Breach?
No. The Commissioner has already been provided with submissions on behalf of Group Members and the Department in relation to the Data Breach, upon which the Commissioner has formed a preliminary view that the Data Breach did in fact occur, and the personal information of a number of individuals was disclosed as a result of the Data Breach. The Commissioner does not seek any further information from any Group Member in relation to this issue.
I am unsure if the Representative Complaint applies to me
If you were in immigration detention on mainland Australia or on Christmas Island as at midnight 31 January 2014, the Representative Complaint extends to you as a ‘Group Member’.
Group Members include the 5,867 people who were in immigration detention facilities and alternative places of detention (including 3,967 people in immigration detention on the mainland and 1,900 in immigration detention on Christmas Island) as well as the 3,391 people who were living in the community under a residence determination, as at midnight 31 January 2014.
Individuals who were in regional (offshore) processing centres (including the Republic of Nauru and Manus Province, Papua New Guinea) on 31 January 2014 were NOT affected by the Data Breach, and should not respond to this Notice.
If you are unsure about whether you were in immigration detention on 31 January 2014, you should confirm this with the Department before providing your response.
The Department will also have an opportunity to verify that your personal information was involved in the Data Breach after you have made a submission or submitted evidence.
Can my representative respond on my behalf?
Yes, your representative may provide your response on your behalf. However, you should provide your representative with information about your loss or damage in your own words.
Can an estate provide a response on behalf of a deceased person?
Can I provide submissions as well as evidence?
Yes, you may provide submissions as well as any available supporting information or evidence to support your claim.
What kind of information or evidence can I provide to support my claim?
You should provide any information you consider to be relevant to the loss or damage you have suffered. Information may be provided in any form you see fit. By way of guidance only:
- evidence may include a statutory declaration or signed statement in your own words;
- evidence may be from the time of the Data Breach or when you first found out about the Data Breach;
- evidence may include medical reports;
- limited weight may be given to evidence in standard forms and medical reports prepared after the date of this Notice.
How do I provide a Statutory Declaration?
Statutory Declarations can be downloaded on the Attorney General’s Department website at https://www.ag.gov.au/
If you would like to provide a Statutory Declaration, please print out a copy of the form. Then, in your own words, describe how the Department’s Data Breach has caused you loss or damage (which may include physical, emotional or financial harm).
You need to sign your Statutory Declaration in front of an authorised witness. The second page of the Statutory Declaration explains who can witness your statement (including pharmacists and medical practitioners, for example).
If you cannot easily complete a Statutory Declaration (for example, because you are outside Australia and do not have access to an authorised witness), you could instead provide a signed statement or letter to the Commissioner describing how the Data Breach has affected you.
How can I obtain from the Department my medical records from the time of the Data Breach, or other information regarding the loss or damage I suffered as a result of the Data Breach?
Please visit https://www.homeaffairs.gov.au for further information about requesting information, including medical or other records, from the Department.
You are encouraged to request any information you need from the Department as soon as possible, because the Department may require 3–4 weeks to process your request.
The Department can only provide you with personal records that it holds for you. If you are seeking records in relation to services provided while you were in community detention, you will need to approach the relevant service provider directly.
How long do I have to respond?
Submissions have now closed.
What happens if I opt out of the Representative Complaint?
If you opt out of the Representative Complaint, any determinations made by the Commissioner in relation to the Representative Complaint will not apply to you.
If you have known about the Data Breach for more than 12 months, and have not already made an individual complaint to the Commissioner about it, the Commissioner may decide not to investigate any new complaint made by you if you opt out of the Representative Complaint.
I wasn’t aware of the Data Breach, do I need to respond?
The information that the Department published is no longer online. Information about the publication of the data and its removal is available on the Department’s website.
If you have not experienced loss or damage as a result of the Data Breach, you do not need to respond to the Notice.
I am from a refugee and asylum seeker support organisation, how can I help Group Members?
If your organisation wishes to provide free support to Group Members in responding to this Notice or corresponding with the OAIC, please contact us at firstname.lastname@example.org, and we can make your details available on our website.
What will the OAIC do with my response?
The OAIC is collecting your response for use in the Representative Complaint. The OAIC and the Commissioner will review your response. A copy of your response will also be given to the Department, who is the respondent. Please see the privacy notice on the Response Form for more information about how we will handle your personal information.
If you have any further enquiries about this matter, you may contact the OAIC Enquiries Line on telephone 1300 363 992 (between 10am–4pm Australian Eastern Standard Time), or by email to email@example.com.
Assistance in languages other than English
If you require further assistance about this matter in a language other than English, please call the Translating and Interpreting Service on 131 450 then ask for 1300 363 992.
Note: These calls can be made for a local call cost from fixed residential landlines anywhere in Australia, but calls from mobile and pay phones may incur higher charges.
Translations of Notice
- English version
- Arabic version
- Azerbaijani version
- Bengali version
- Burmese version
- Cantonese version
- Dari version
- Hazaragi version
- Hindi version
- Indonesian version
- Kurdish version
- Mandarin version
- Pashto version
- Persian version
- Punjabi version
- Sinhalese version
- Sylheti version
- Tamil version
- Urdu version
- Uzbek version
- Vietnamese version